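'authorization_code',
    'code'       => $code,
);

// The provider-echoed state has already been matched against the session
// above this excerpt, so it is consumed here: a replayed callback URL with the
// same code/state pair must not be accepted a second time.
unset($_SESSION['state']);

// Step 2. Exchange the authorization code for tokens (client_secret_basic via
// CURLOPT_USERPWD). TLS certificate verification stays at curl's default
// (enabled): the client secret and the tokens travel over this connection, so
// CURLOPT_SSL_VERIFYPEER must never be switched off, not even "for testing".
$h = curl_init($token_endpoint);
curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
curl_setopt($h, CURLOPT_TIMEOUT, 10);
curl_setopt($h, CURLOPT_USERPWD, "{$client_id}:{$client_secret}");
curl_setopt($h, CURLOPT_POST, true);
curl_setopt($h, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($h, CURLOPT_POSTFIELDS, http_build_query($data));
$res = curl_exec($h);
// false means a transport failure; any body (even an empty one) is a response.
if ($res !== false) {
    curl_close($h);
    $res = json_decode($res, true);
    // A non-JSON body (HTML error page, empty string) decodes to null; without
    // this guard empty($res['error']) below would treat it as success.
    if (!is_array($res)) {
        exit('Token request error : response is not a JSON object');
    }
    if (empty($res['error'])) {
        if (!isset($res['id_token'], $res['access_token'])) {
            exit('Token request error : id_token or access_token missing');
        }
        // Validate the ID Token signature with the provider's public key.
        // decode_jwt() is defined elsewhere; from its arguments it is assumed
        // to verify the RS256 signature and return the claims array, nothing
        // more, so the remaining OIDC Core 3.1.3.7 checks (aud, exp, nonce)
        // are done here.
        // TODO(review): also compare the 'iss' claim with the provider's
        // issuer URL; no issuer value is visible in this script.
        if ($payload = decode_jwt($res['id_token'], PUBLIC_KEY, 'RS256')) {
            // 'aud' is a string or an array of strings and MUST contain our
            // client_id, otherwise this is a token minted for another client.
            $aud = isset($payload['aud']) ? (array) $payload['aud'] : array();
            if (!in_array((string) $client_id, array_map('strval', $aud), true)) {
                exit('Error : ID Token not issued for this client');
            }
            // Current time MUST be before 'exp' (no clock-skew allowance here).
            if (!isset($payload['exp']) || time() >= (int) $payload['exp']) {
                exit('Error : ID Token expired');
            }
            // The nonce was generated in Step 1 and bound to this session; it
            // ties the ID Token to this browser's authentication request.
            if (!isset($payload['nonce'], $_SESSION['nonce'])
                || !hash_equals($_SESSION['nonce'], (string) $payload['nonce'])) {
                exit('Error : ID Token nonce mismatch');
            }
            unset($_SESSION['nonce']);

            // Step 3. Get UserInfo.
            // The access token is sent as a form parameter (RFC 6750 section
            // 2.2). The 'Authorization: Bearer <token>' header (section 2.1) is
            // the preferred method and can replace the POST body when the
            // provider supports it.
            // NOTE(review): 'state' is not a UserInfo parameter; it is kept
            // because the original request sent it, presumably for this
            // particular provider - confirm it is actually required.
            $access_token = $res['access_token'];
            $data2 = array(
                'access_token' => $access_token,
                'state'        => $state,
            );
            $h = curl_init($userinfo_endpoint);
            curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($h, CURLOPT_TIMEOUT, 10);
            curl_setopt($h, CURLOPT_POST, true);
            curl_setopt($h, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
            curl_setopt($h, CURLOPT_POSTFIELDS, http_build_query($data2));
            $res = curl_exec($h);
            if ($res !== false) {
                curl_close($h);
                $res = json_decode($res, true);
                if (!is_array($res)) {
                    exit('UserInfo Request error : response is not a JSON object');
                }
                if (empty($res['error'])) {
                    // The UserInfo 'sub' MUST equal the ID Token 'sub'. Strict
                    // string comparison: '==' would accept "1e1" == "10".
                    if (isset($payload['sub'], $res['sub'])
                        && (string) $payload['sub'] === (string) $res['sub']) {
                        // Everything OK. The claims are provider/user supplied
                        // text rendered into an HTML page, so they are escaped.
                        echo "UserInfo Response:\n";
                        echo htmlspecialchars(print_r($res, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                    } else {
                        // User of ID Token doesn't match UserInfo's one
                        $got = isset($res['sub']) ? (string) $res['sub'] : '';
                        exit('User mismatch, got : ' . htmlspecialchars($got, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
                    }
                } else {
                    // UserInfo request error (provider-controlled strings, escaped)
                    $desc = isset($res['error_description']) ? $res['error_description'] : '';
                    exit('UserInfo Request error : ' . htmlspecialchars($res['error'] . ' : ' . $desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
                }
            } else {
                // Curl error during UserInfo request. curl_close() has to run
                // before exit(); in the original it was unreachable after it.
                $err = curl_error($h);
                curl_close($h);
                exit('UserInfo Request error : ' . $err);
            }
        } else {
            // Invalid id_token (signature check failed)
            exit('Error : Invalid ID Token');
        }
    } else {
        // Token request error (provider-controlled strings, escaped)
        $desc = isset($res['error_description']) ? $res['error_description'] : '';
        exit('Token request error : ' . htmlspecialchars($res['error'] . ' : ' . $desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }
} else {
    // Curl error during Token request; close the handle before exiting.
    $err = curl_error($h);
    curl_close($h);
    exit('Token Request error : ' . $err);
}
} else {
    // Wrong State
    exit("Authorization error : incoherent State");
}
} else {
    // Missing State
    exit("Authorization error : missing State");
}
} else {
    // Step 1. Authorization Code request
    @session_regenerate_id();
    // NOTE(review): reusing the session id as the OAuth state exposes it in the
    // authorization URL, the provider's logs and Referer headers. A separate
    // random value (e.g. bin2hex(random_bytes(16))) is preferable, but the
    // comparison that accepts the callback is above this excerpt and would
    // have to be changed together with this line.
    $state = session_id();
    $_SESSION['state'] = $state;
    // Per-request nonce, verified against the ID Token's 'nonce' claim in the
    // callback; random_bytes() is a CSPRNG (PHP 7+).
    $_SESSION['nonce'] = bin2hex(random_bytes(16));
    $data = array(
        'response_type' => 'code',
        'client_id'     => $client_id,
        'scope'         => 'openid profile',
        'state'         => $state,
        'nonce'         => $_SESSION['nonce'],
    );
    $authorization_endpoint .= '?' . http_build_query($data);
    header('Location: ' . $authorization_endpoint);
    exit();
}
} else {
    // Authorization error. 'error' and 'error_description' arrive in the query
    // string and are attacker-controlled: escaping them prevents reflected XSS.
    $desc = isset($_GET['error_description']) ? $_GET['error_description'] : '';
    exit('Authorization error : ' . htmlspecialchars($_GET['error'] . ' : ' . $desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}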